Protection of a computer or data network from undesired and unauthorized data disclosure, interception or alteration has been a perennial concern in the field of computer and network security. For example, firewall and anti-malware software have been developed to address security concerns for computers and networks connected to the Internet and to protect them from possible cyberattacks such as Trojan horse-type viruses or worms that may trigger undesired and unauthorized data disclosure by these computers and networks. However, for high security computer networks such as those used by government agencies and intelligence communities and certain commercial applications, conventional network security devices such as firewalls may not provide sufficiently reliable protection from undesired data disclosure.
Alternative network security methods and devices based on unidirectional data transfer have been devised to address the network security concern. For example, U.S. Pat. No. 5,703,562 to Nilsen (“the '562 Patent”), the content of which is hereby incorporated by reference in its entirety, provides an alternative way to address the network security concern. The '562 Patent discloses a method of transferring data from an unsecured computer to a secured computer over a one-way optical data link comprising an optical transmitter on the sending side and an optical receiver on the receiving side. By providing such an inherently unidirectional data link to a computer/data network to be protected, one can eliminate any possibility of unintended data leakage out of the computer/data network over the same link.
One-way data transfer systems based on such one-way data links provide network security to data networks by isolating the networks from potential security breaches (i.e., undesired and unauthorized data flow out of the secure network) while still allowing them to import data from the external source in a controlled fashion. FIG. 1 schematically illustrates an example of one such one-way data transfer system 100. In the one-way data transfer system shown in FIG. 1, two computing platforms (or nodes) 101 and 102 (respectively, “the Send Node” and “the Receive Node”) are connected to the unsecured external network 104 (“the source network”) and the secure network 105 (“the destination network”), respectively. The Send Node 101 is connected to the Receive Node 102 by a one-way data link 103, which may be an optical link comprising, for example, a high-bandwidth optical fiber. This one-way optical data link 103 may be configured to operate as a unidirectional data gateway from the source network 104 to the secure destination network 105 by having its ends connected to an optical transmitter on the Send Node and to an optical receiver on the Receive Node.
This configuration physically enforces one-way data transfer at both ends of the optical fiber connecting the Send Node 101 to the Receive Node 102, thereby creating a truly unidirectional one-way data link between the source network 104 and the destination network 105 shown in FIG. 1. Unlike the conventional firewalls, one-way data transfer systems based on a one-way data link are designed to transfer data or information only in one direction and it is physically impossible to transfer data or information of any kind in the reverse direction using that link. No information or data of any kind, including handshaking protocols such as those used in data transport protocols such as TCP/IP, SCSI, USB, Serial/Parallel Ports, etc., can travel in the reverse direction from the Receive Node back to the Send Node across the one-way data link. Such physically imposed unidirectionality in data flow cannot be hacked by a programmer, as is often done with firewalls. Accordingly, the one-way data transfer system based on a one-way data link ensures that data residing on the isolated secure computer or network is maximally protected from any undesired and unauthorized disclosure.
When two different network security domains need to communicate bilaterally, it is often desirable and necessary to apply different security policies or protocols to data flows in different directions. Preferably, data transfers from a low security domain to a high security domain are subject to fewer security restrictions, while a high security domain has a need to protect its data from the low security domain by carefully configured security protocols. For example, U.S. Pat. No. 7,992,209 to Menoher, et al., (“the '209 Patent”), the content of which is hereby incorporated by reference in its entirety, discloses a system for bilateral communication using two one-way data links. Referring to FIG. 2, the system 201 in the '209 Patent comprises two computing platforms or nodes, Node A 202 and Node B 203, interconnected by two separate, oppositely directed one-way communication channels, Link R 204 and Link L 205. These one-way communication channels are deployed in parallel to enable bilateral communications between Node A and Node B, wherein Link R 204 is for unidirectional data transfer from Node A to Node B, while Link L 205 is for unidirectional data transfer in the opposite direction, from Node B to Node A. This arrangement forces all data traffic between Nodes A and B to flow unidirectionally through two entirely separate conduits, with each of the unidirectional data transfers across these conduits separately administered. The two links are separately administered by employing separate data transfer applications, interfaces and configuration files solely for the unidirectional data transfer in each direction, each set configured to prevent any cross-talk with the one-way communication channel for the opposite direction. In particular, in FIG. 2, Link R 204 is associated with data sending application 210 and interface 206 in Node A 202 and data receiving application 212 and interface 208 in Node B 203, while Link L 205 is associated with data sending application 213 and interface 209 in Node B 203 and data receiving application 211 and interface 207 in Node A 202. The one-way data links used in Link R 204 and Link L 205 in FIG. 2 may be of any type of data transfer conduit that is capable of enforcing unidirectional data flow. Examples of one-way data links and the corresponding network interface circuitry for enforcing unidirectional data flow through the links are disclosed in U.S. Pat. No. 8,068,415 to Mraz (“the '415 Patent”), the content of which is incorporated herein by reference in its entirety.
In FIG. 2, the data sending application 210 in Node A (or 213 in Node B) and data receiving application 212 in Node B (or 211 in Node A) in combination with proxy and session managing applications 220, 218 and 221, 219 respectively in Node A and Node B use Transmission Control Protocol/Internet Protocol (TCP/IP) as a user interface to the one-way data link in Link R 204 (or Link L 205). Examples of TCP-based one-way data transfer system are disclosed in U.S. Pat. No. 8,139,581 to Mraz et al. (“the '581 Patent”), the content of which is incorporated herein by reference in its entirety. The TCP proxy applications 220 and 221 are preferably TCP/IP socket-based proxy software, but may also be hardware-based or based on a suitable combination of software and hardware. The TCP proxy application 220 residing in Node A 202 fully implements TCP/IP-based bilateral communications between Node A and an external platform communicatively coupled to Node A, such as a remote terminal client 222 shown in FIG. 2. Likewise, the TCP proxy application 221 residing in Node B 203 fully implements TCP/IP-based bilateral communications between Node B and an external platform communicatively coupled to Node B, such as a remote terminal server 223 shown in FIG. 2.
The TCP session managing applications 218 and 219 are software-based applications for maintaining one or more TCP sessions. The session managing application 218, 219 in each node 202, 203 “splits” the bilateral communication channel between the node and the corresponding remote terminal 222, 223 into two unidirectional communication channels by strictly enforcing a separation between data coming from the remote terminal 222, 223 and data arriving via the data receiving application 211, 212.
The system shown in FIG. 2 simulates the TCP/IP protocol between the remote terminal client 222 and the remote terminal server 223 across the one-way data link in Link R 204 by replacing the IP information in the received data with pre-assigned channel numbers, so that no IP information is sent across the one-way data link. IP routes are pre-defined in the form of complementary channel mapping tables associated respectively with the data sending application 210 in Node A and data receiving application 212 in Node B. The data receiving application 212 then replaces the channel numbers in the received data with IP information from the channel mapping table and forwards the modified data to the TCP session managing application 219. The session managing application 219 maintains one or more TCP sessions and routes the received data packets or files from the data receiving application 212 to the proxy application 221. The TCP proxy application 221 in Node B fully implements the TCP/IP protocol in its bilateral communications with the remote terminal server 223, requests a socket connection and delivers the data received from the remote terminal client 222 to the remote terminal server 223. The same process is used to transfer data from remote terminal server 223 to remote terminal client 222, as discussed in further detail in the '209 Patent, but using data sending and receiving applications, interfaces and configuration files that are entirely separate from those associated with the one-way data transfer from remote terminal client 222 to remote terminal server 223.
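The channel-number substitution described above, as an added illustration that is not code from the '209 Patent or any product: the mapping tables, the frame header layout and the route tuples are constructed for this example. The send side replaces a pre-defined IP route with a channel number before the data crosses the one-way link; the receive side restores the route from its complementary table and rejects any channel it has no entry for.

```python
import struct

# Constructed example: pre-defined IP routes expressed as complementary channel
# mapping tables, one held by the data sending application (Node A) and one by
# the data receiving application (Node B).
SEND_TABLE = {  # (client_ip, client_port, server_ip, server_port) -> channel
    ("10.0.0.5", 51000, "192.168.1.20", 22): 1,
    ("10.0.0.6", 51001, "192.168.1.21", 23): 2,
}
RECV_TABLE = {ch: route for route, ch in SEND_TABLE.items()}  # channel -> route

# Hypothetical link frame: 16-bit channel number, 32-bit payload length, payload.
HEADER = struct.Struct("!HI")


def tables_complementary(send_table, recv_table):
    """Both ends must describe exactly the same pre-defined routes."""
    return {ch: route for route, ch in send_table.items()} == recv_table


def encode_for_link(route, payload, send_table=SEND_TABLE):
    """Send side: drop the IP information and carry only the channel number.

    A route that is not pre-defined raises KeyError, so nothing is sent for it.
    """
    channel = send_table[route]
    return HEADER.pack(channel, len(payload)) + payload


def decode_from_link(frame, recv_table=RECV_TABLE):
    """Receive side: look the channel number up to restore the IP route."""
    if len(frame) < HEADER.size:
        raise ValueError("short frame")
    channel, length = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    if channel not in recv_table:
        # No entry means no pre-defined route: drop rather than guess a destination.
        raise ValueError(f"unmapped channel {channel}")
    return recv_table[channel], payload
```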
The system shown in FIG. 2 and described above can support the inherently different security checks and restrictions required for transferring data from a lower security domain to a higher security domain and for transferring data back in the other direction (e.g., the situation where the client requesting data is in a lower security domain). In addition, that system can also support the inherently different security checks and restrictions required for transferring data from a higher security domain to a lower security domain and for transferring data back in the other direction (e.g., the situation where the client requesting data is in a higher security domain). However, the types of transfers allowed require some a priori knowledge of the information being requested. In addition, the data being transferred from the client to the server is completely independent from the data being transferred from the server to the client, and the data is transmitted as a raw byte stream without any indication of message boundaries. This makes it difficult to filter data, for example, based on message type.
The Network File System (NFS) is a standard network client/server protocol used to allow computers to mount a remote disk partition and transparently access it as if it were a local disk. In operation, an NFS client on a user computer communicates with the remote server where the remote disk is located using the Remote Procedure Call (RPC) protocol in order to access files located on the remote disk. An RPC is an inter-process communication that allows a client to cause a subroutine or procedure to execute in another address space (e.g., on a known remote server) without the programmer explicitly coding the details for this remote interaction. An RPC is initiated by the client, which sends a request message to the known remote server to execute a specified procedure with supplied parameters. The remote server sends a response to the client, and the application continues its process. NFS operates on matched RPC requests and replies, so an implementation of NFS across the bilateral communication system of FIG. 2 would provide less than optimal results, for example due to the difficulty of filtering the raw message stream.
Hence, it is an object of the present invention to overcome the problems with the prior art and to provide an NFS implementation over a bilateral data transfer system comprising two or more one-way data links.